The UK’s NCSC and international partners warn that China‑nexus threat actors are increasingly routing operations through massive proxy networks made from hijacked SOHO routers, cameras, video recorders, and NAS devices to evade detection. Agencies highlighted botnets and state-linked groups tied to these covert networks and urged defenses like multifactor authentication, dynamic threat feeds, IP allowlists, and zero‑trust controls. #RaptorTrain #VoltTyphoon
Key points
- China‑nexus hackers are shifting from individually procured infrastructure to large botnets of compromised consumer devices.
- Raptor Train infected over 260,000 devices in 2024 and was linked to activity attributed to Flax Typhoon and Integrity Technology Group.
- KV‑Botnet exploited outdated Cisco and Netgear routers and was disrupted by the FBI, though revival attempts were observed.
- Traditional defenses that block static IP lists are less effective against continually changing covert proxy networks.
- Organizations are advised to deploy MFA, map edge devices, use dynamic threat feeds, apply IP allowlists, and adopt zero‑trust and machine certificate verification.
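The contrast between a static IP blocklist and a dynamic feed, and the allowlist check for management access, can be made concrete in code. The following is an added example written for this summary; it is not code from the NCSC advisory or any of the agencies or vendors mentioned. The feed format, the management network range, the log lines and the evaluation time are all constructed for illustration, and a real feed would be consumed from whatever format the provider offers.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample threat feed (hypothetical shape; real feeds differ). Each
# entry records when the address was last confirmed as a covert proxy node.
FEED = [
    {"ip": "203.0.113.7",   "last_seen": "2024-09-18T02:00:00Z", "tag": "soho-router-proxy"},
    {"ip": "198.51.100.22", "last_seen": "2024-09-17T21:30:00Z", "tag": "nvr-proxy"},
    {"ip": "192.0.2.45",    "last_seen": "2024-08-01T10:00:00Z", "tag": "soho-router-proxy"},
]

# Constructed static blocklist: a snapshot of the feed exported weeks earlier
# and never refreshed, which is the weakness the advisory points at.
STATIC_BLOCKLIST = {"192.0.2.45"}

# Constructed SSH auth log lines from a hypothetical VPN gateway.
LOG_LINES = [
    "Sep 18 03:12:44 vpn01 sshd[1201]: Accepted password for admin from 203.0.113.7 port 51000 ssh2",
    "Sep 18 03:13:02 vpn01 sshd[1203]: Failed password for root from 198.51.100.22 port 40022 ssh2",
    "Sep 18 03:14:10 vpn01 sshd[1207]: Accepted publickey for ops from 10.20.0.5 port 52811 ssh2",
    "Sep 18 03:15:33 vpn01 sshd[1210]: Accepted password for admin from 192.0.2.45 port 45678 ssh2",
]

# Assumed management network from which admin logins are expected.
MGMT_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/16")]

NOW = datetime(2024, 9, 18, 4, 0, tzinfo=timezone.utc)  # evaluation time for the example
MAX_AGE = timedelta(days=7)                              # how long an indicator stays live

IP_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3}) port\b")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def active_indicators(feed, now=NOW, max_age=MAX_AGE):
    """Keep only entries confirmed within max_age. Proxy nodes churn as devices
    are cleaned or re-infected, so old sightings expire instead of living on."""
    return {e["ip"]: e["tag"] for e in feed if now - parse_ts(e["last_seen"]) <= max_age}


def static_list_misses(static_ips, indicators):
    """Live indicators that a static snapshot does not contain: the coverage gap."""
    return set(indicators) - set(static_ips)


def in_allowlist(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def triage(log_lines, indicators, allowlist):
    """Flag lines whose source is a live proxy indicator, or a successful login
    from outside the management allowlist (even if no feed knows the address)."""
    findings = []
    for line in log_lines:
        m = IP_RE.search(line)
        if not m:
            continue
        ip = m.group(1)
        if ip in indicators:
            verdict = "proxy-indicator"
        elif "Accepted" in line and not in_allowlist(ip, allowlist):
            verdict = "outside-allowlist"
        else:
            continue
        findings.append({"ip": ip, "verdict": verdict, "tag": indicators.get(ip), "line": line})
    return findings


def run_example():
    return triage(LOG_LINES, active_indicators(FEED), MGMT_ALLOWLIST)


if __name__ == "__main__":
    live = active_indicators(FEED)
    print("live indicators:", sorted(live))
    print("missed by static list:", sorted(static_list_misses(STATIC_BLOCKLIST, live)))
    for f in run_example():
        print(f["verdict"], f["ip"], f["tag"] or "")
```

The stale snapshot still lists 192.0.2.45 but knows nothing about the two nodes that joined the proxy network this week, which is why the feed must be re-pulled and aged rather than copied once. The allowlist check catches the login from 192.0.2.45 anyway, because an admin login from outside the management range is suspicious regardless of what any feed says; that is the complementary control the advisory pairs with dynamic feeds.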